To use these scripts:

1. To use a copy of OpenSSL that you've compiled from source, edit
   environment.sh to indicate where you've put it.
   The default is to use $GEMSTONE/bin/openssl.
   The openssl shipped with Ubuntu 14, 16 and current versions of Red Hat
   will not work.

2. The following environment variables are required:
   GEMSTONE - The root GemStone product tree
    or
   OPENSSL_PREFIX_DIR - prefixDir used when building openssl from source.

   The env vars are used to locate the correct openssl executable.
   If $OPENSSL_PREFIX_DIR is defined, then $OPENSSL_PREFIX_DIR/bin/openssl is used.
   If $OPENSSL_PREFIX_DIR is not defined, then $GEMSTONE/bin/openssl is used.
   If neither $OPENSSL_PREFIX_DIR nor $GEMSTONE is defined, an error is raised.

   GEMSTONE_CERT_DIR - A directory where newly created certificates and
                       subdirectories will be placed. Directory structure is
                       shown below.

3. Create a new stone CA:
  A) If the stone CA cert will be self-signed:
       Run the "newstone" script.  This will create a self-signed stone
       CA certificate.

  B) If the stone CA cert will be signed by an external CA:
       Run the "newstone_csr" script.  This will create a certificate signing
       request (CSR) which can be used by the external CA to create the stone
       CA certificate. Once you have received the signed stone CA cert, copy
       the file to the location shown by the newstone_csr script.

4. Create the user CA cert for the stone by running the newuserCA script. This
   creates an intermediate CA which will sign user certificates for this stone.
  
5. Create the host CA cert for the stone by running the newhostCA script. This
   creates an intermediate CA which will sign host certificates for this stone.
   
6. Create each new user or host certificate chain with the "newuser" or "newhost"
   scripts respectively. 
   Each GemStone user profile needs its own user certificate for a given stone,
   and every host computer which accesses the stone needs its own host certificate.
   User and host certificates may not be shared across multiple stones.

   Note that the certificate chain files (*.chain.pem) must be used so that the 
   intermediate host or user CA cert is included. Using the host or user cert 
   alone WILL NOT WORK. 

7. To debug, set the env var GEMSTONE_CERT_DEBUG. This will display commands as
   they are run and show the direct output from openssl.
   
See comments within each script for usage information.
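
The pre-flight checks below are an added example, not part of the GemStone scripts. They apply the openssl lookup rule from step 2 and confirm that a file is a chain file (at least two PEM certificates) as step 6 requires; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the GemStone scripts.

# Print the openssl path chosen by the rule in step 2:
# $OPENSSL_PREFIX_DIR/bin/openssl if set, else $GEMSTONE/bin/openssl, else error.
resolve_openssl() {
    if [ -n "${OPENSSL_PREFIX_DIR:-}" ]; then
        candidate="$OPENSSL_PREFIX_DIR/bin/openssl"
    elif [ -n "${GEMSTONE:-}" ]; then
        candidate="$GEMSTONE/bin/openssl"
    else
        echo "error: neither OPENSSL_PREFIX_DIR nor GEMSTONE is defined" >&2
        return 1
    fi
    # Catch a wrong prefix early instead of failing inside a script.
    if [ ! -x "$candidate" ]; then
        echo "error: $candidate is missing or not executable" >&2
        return 2
    fi
    printf '%s\n' "$candidate"
}

# Count the PEM certificate blocks in a file (key blocks are ignored).
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Succeed only if the file holds at least two certificates, i.e. the user or
# host cert plus the intermediate CA cert that step 6 says must be included.
is_chain_file() {
    [ -r "$1" ] || { echo "error: cannot read $1" >&2; return 2; }
    n=$(count_pem_certs "$1")
    if [ "$n" -lt 2 ]; then
        echo "error: $1 holds $n certificate(s); use the *.chain.pem file" >&2
        return 1
    fi
}

# Usage (paths are placeholders):
#   resolve_openssl && is_chain_file /path/to/some.chain.pem
```

The certificate count is a sanity check only; it does not validate signatures or the order of the certificates in the file.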

Certificates and private keys will be in the GEMSTONE_CERT_DIR directory.

GEMSTONE_CERT_DIR directory structure:

$GEMSTONE_CERT_DIR
 |
 -stones
   |
   -Stone1
     |--stoneCA
     |--users
       |--user1
       |--user2
     |--hosts
       |--host1
       |--host2
   -Stone2
     |--stoneCA
     |--users
       |--user1
       |--user2
     |--hosts
       |--host1
       |--host2


Certificate Hierarchy With Self Signed Stone CA:

                 StoneCA (self signed)
                   |
        -----------------------
        |                     |
      hostCA                userCA
      |                     |
      -host1                -user1
      -host2                -user2
      -host3                -user3



Certificate Hierarchy With External Root CA:

                 RootCA (self signed)
                   |
                 StoneCA
                   |
        -----------------------
        |                     |
      hostCA                userCA
      |                     |
      -host1                -user1
      -host2                -user2
      -host3                -user3


